Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing services controlled by third countries can only achieve Union Assurance Level 3; they are strictly excluded from Level 4. Article 18(1) empowers the Commission to recognize specific "associated third countries" that meet rigorous sovereignty and security criteria, permitting their providers to be audited for Level 3 recognition. However, Annex II, Section 4.1(g) explicitly mandates that Level 4 providers and their subcontractors must not be subject to any third-country control, with no derogation available. This tiered approach ensures that the EU's most sensitive public sector operations (Level 4) remain entirely free from foreign legal jurisdiction, while allowing for secure, conditional international cooperation in less critical public order areas (Level 3).
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a four-tiered Union cloud computing sovereignty framework. A central pillar of this framework is the distinct treatment of third-country control across assurance levels. The proposal creates an absolute barrier to third-country control at the highest tier (Level 4) while carving out a narrow, conditional pathway for "associated third countries" to access Level 3.
The Absolute Barrier at Level 4
Union Assurance Level 4 is reserved for the most sensitive public sector activities, including those involving national security, defense, and classified information. As set out in Annex II, Section 4.1(g), a cloud computing service provider seeking Level 4 recognition must demonstrate that neither the provider nor its subcontractors are "subject to the control of a third country or a legal entity established in a third-country."
There is no derogation, exception, or conditional pathway for Level 4. The rationale, reflected in the recitals, is that preserving public order at this highest level requires absolute operational autonomy and immunity from extraterritorial laws that could compel data access or service disruption. Even if a third country has an adequacy decision or a bilateral agreement, the text of the proposal does not permit a provider subject to that country's control to qualify for Level 4.
The Conditional Pathway for Level 3
In contrast, Article 18(1) introduces a specific mechanism for "associated third countries." The Commission may adopt implementing acts identifying third countries whose cloud providers, even if subject to that country's control, may be audited against the criteria for Union Assurance Level 3. This is explicitly a Level 3-only privilege.
For a third country to qualify as "associated," it must meet a cumulative set of stringent criteria listed in Article 18(1)(a)–(f):
- Adequacy Decision: The country must be subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (GDPR).
- No Lawful Access Conflicts: It must have no measures enabling control over the provider that conflict with lawful access to non-personal data rules (specifically Article 32(2) and (3) of the Data Act).
- No Service Disruption: It must have no measures compelling the provider to degrade or disrupt service continuity.
- No Restrictive Measures: It must not oblige the provider to comply with restrictive measures (such as sanction regimes or embargoes) unless those measures are also legitimate under EU law or Member State law.
- Open Market: It must maintain an open market to Union cloud computing services.
- Reciprocal Access: It must grant equivalent levels of access to its public procurement procedures for cloud services controlled by a Union Member State or entity.
The Derogation Mechanism: Article 18 and Annex II
The legal bridge that allows a third-country-controlled provider to enter the Level 3 category is found in Annex II, Section 3.1(g). While the general rule for Level 3 mirrors Level 4 by stating that providers must not be subject to third-country control, it includes a specific derogation:
"By way of derogation to this criterion, a cloud computing service provider and its subcontractors which are involved in the provision of the audited service that are subject to the control of a third country or a legal entity established in a third-country may be audited for Union assurance level 3 where the Commission has adopted an implementing act under Article 18."
Note: The draft text in the proposal refers to "Article 19" in the Annex II cross-reference, but the explanatory memorandum and the structure of the regulation confirm this is a drafting slip referring to the "Associated third countries" mechanism in Article 18.
If the Commission adopts such a decision under Article 18, the provider must still demonstrate that it has implemented legal, technical, and organizational measures to ensure that third-country control does not:
- Restrict the provider's ability to perform and deliver the service;
- Impose limitations on infrastructure, assets, or personnel;
- Undermine the capabilities and standards necessary to perform the service;
- Allow access by a third country to customer data;
- Enable disruption of service continuity or degradation of quality; or
- Oblige the provider to comply with restrictive measures (unless legitimate under EU law).
Why the Distinction?
The differentiation reflects a risk-based proportionality principle embedded in the proposal. Level 3 services are intended for public sector activities that contribute to the preservation of public order (e.g., certain justice or law enforcement data that is not classified) but do not reach the threshold of the highest sensitivity. The EU aims to remain open and cooperative with international partners that offer robust privacy protections (hence the GDPR adequacy requirement) and reciprocal market access.
However, for Level 4, the risk of extraterritorial interference is deemed unacceptable regardless of bilateral agreements. The proposal posits that for the most critical functions, the EU cannot rely on the "goodwill" or legal frameworks of a third country, necessitating total exclusion of third-country control.
What this means for you
For in-house counsel, compliance officers, and public procurement teams, the distinction between Level 3 and Level 4 has immediate and critical implications for vendor selection and infrastructure planning.
1. Procurement and Vendor Selection Strategy
If your organization procures cloud services for activities deemed to have "public order relevance" under Article 29, you must first conduct a risk assessment to determine the required assurance level.
- For Level 4 Requirements: You must exclude any provider subject to third-country control. This includes major non-EU hyperscalers unless they have established fully independent, EU-controlled legal entities that are demonstrably free from foreign jurisdictional reach (e.g., no board control, no veto rights, no remote access from the parent). You cannot rely on an "associated third country" designation to satisfy Level 4 criteria.
- For Level 3 Requirements: You may consider providers from associated third countries, but only if the Commission has formally recognized that country under Article 18(1). You must verify that the specific provider holds the necessary audit report and "positive" audit opinion confirming they meet the derogation criteria in Annex II, Section 3.1(g).
2. Monitoring and Due Diligence
Compliance officers must actively monitor the status of "associated third countries." The Commission is required to publish a list of third countries that fulfill the requirements and those that no longer do so (Article 18(3)).
- Dynamic Risk: If a country loses its status (e.g., due to a change in its laws or a revocation of its GDPR adequacy), any provider relying on that designation may immediately lose its eligibility for Level 3 recognition.
- Contractual Safeguards: Your contracts should include clauses that address the consequences of such a loss of status, including potential migration timelines and termination rights.
3. Audit and Evidence Requirements
For providers from associated third countries seeking Level 3, the audit process is rigorous. Under Annex III, Audit Criterion 7.2, auditors must request specific evidence that the provider has implemented measures to enforce effective legal, technical, and organizational separation from the third country.
This includes demonstrating:
- The ability to refuse data access requests from foreign authorities.
- A record of any such requests and the provider's refusal.
- That the provider is not legally, technically, or operationally compelled to comply with foreign requests.
Ensure your vendors can produce this documentation upon request. Mere assertions of independence are insufficient; the audit must be substantiated by evidence.
4. Deadlines and Transitions
Member States and Union entities must conduct risk assessments within one year of CADA's entry into force (Article 29(1)). If your current provider is a non-EU hyperscaler not covered by an associated third country decision, and your use case requires Level 3 or 4, you must plan for migration.
The regulation allows for a reasonable transition period of up to 12 months for such migrations (Article 29(6)). Start vendor assessments early to avoid service disruptions, as finding a Level 3 or 4 compliant provider may take time.
Common misconceptions
Misconception 1: "An EU subsidiary of a US company automatically qualifies for Level 4." Incorrect. Level 4 requires that the provider not be subject to third-country control. If the EU subsidiary is legally or operationally controlled by its non-EU parent (e.g., through board appointments, veto rights, centralized IT management allowing remote access, or financial dependency), it remains subject to third-country control. The audit criteria in Annex III require a deep dive into ownership structures, voting rights, and commercial links to determine if effective separation exists. Mere incorporation in the EU is insufficient.
Misconception 2: "GDPR adequacy is enough for Level 3." Incorrect. While a GDPR adequacy decision is a necessary condition for a third country to be considered "associated" under Article 18(1)(a), it is not sufficient. The country must also meet the other five criteria, including reciprocal market access and the absence of laws compelling service disruption. A country could have GDPR adequacy but fail the reciprocity test, disqualifying its providers from Level 3.
Misconception 3: "Level 2 allows third-country control." Incorrect. Like Levels 3 and 4, Annex II, Section 2.1(g) requires that Level 2 providers not be subject to third-country control, unless specific measures are in place to prevent such control from undermining service provision. However, there is no "associated third country" derogation for Level 2. The derogation in Annex II is explicitly limited to Level 3. This means a provider from a non-associated third country generally cannot achieve Level 2 or higher unless they can prove they are not subject to third-country control through other means (e.g., complete legal and operational independence).
Misconception 4: "The list of associated third countries is static." Incorrect. The Commission must repeal, amend, or suspend the decision if available information reveals the country no longer fulfills the requirements (Article 18(2)). Compliance teams must treat this as a dynamic risk factor and include contractual safeguards for scenarios where a vendor's home country loses its associated status.
Misconception 5: "The cross-reference in Annex II to 'Article 19' is correct." Incorrect. This is a known drafting slip in the proposal text. Annex II, Section 3.1(g) refers to an implementing act under "Article 19," but the mechanism for associated third countries is located in Article 18. The explanatory memorandum and the logical structure of the regulation confirm that the reference should be to Article 18.